NATIONAL SCIENCE FOUNDATION
4201 WILSON BOULEVARD
ARLINGTON, VIRGINIA 22230

OFFICE OF INSPECTOR GENERAL

MEMORANDUM

FROM: Special Agent (name redacted)

Via: Assistant Inspector General for Investigations (name redacted)

DATE:

RE: Case Closeout #I99070032

The NSF administers the United States Antarctic Program (USAP) for the entire Federal Government through a contract for support operations to the USAP. Network administration and other IT operations for the USAP are included as part of the contractor's duties.

On July 19, 1999, OIG was notified by the Manager of Technology Development, Office of Polar Programs (OPP) (name redacted), that intruders had illegally accessed six U.S. Polar Program servers at South Pole Station, McMurdo Station, and ASA Headquarters in the June and July 1999 timeframe. The six known compromised systems include oak.spole.gov (199.4.250.1), pamanda1.spole.gov (204.89.132.91), and pamanda2.spole.gov (204.89.132.92) at South Pole Station; terror.mcmurdo.gov (157.132.107.66) and vinson.mcmurdo.gov (157.132.119.50) at McMurdo Station; and www.asa.org (198.59.57.65) at ASA Headquarters.

The calculated financial damages are based on estimated expended labor resources, including ASA Headquarters, South Pole, and McMurdo personnel, and newly procured hardware at Denver. These damages do not include labor and hardware costs for the pamanda1 and pamanda2 servers.[1]

In addition to financial damages, other likely damages and risks include compromised user accounts and passwords at South Pole and McMurdo Stations and unauthorized access to proprietary scientific data from the AMANDA Project.

Investigation

Analysis of the available log evidence for the South Pole (oak.spole.gov only[2]) and McMurdo intrusions, provided to OIG Agents, indicates that the intrusions or intrusion attempts date back to the March through May 1999 timeframe and originated from multiple international Internet Service Provider (ISP) accounts used as points of unauthorized entry or target reconnaissance. The logs capture only four intruder ISP accounts, which originate from the U.S. (MCI WorldCom, EarthLink, and US West) and Canada (Rogers@Home). The other intruder IP addresses for the South Pole and McMurdo intrusions originate primarily from Brazil and Chile.

The OIG Agent sent 2703(f) letters notifying the three U.S. ISPs of a potential 2703 Court Order for all subscriber and transactional data. The Agent contacted the Royal Canadian Mounted Police, Computer Crime Division, for investigative assistance regarding the Canadian ISP. We referred the case to the Eastern District of Virginia, U.S. Attorney's Office, to request Court Orders and coordination. Subsequently, in December, we established that the four ISPs no longer had the requested subscriber and transactional information, as most ISPs commonly do not retain backups beyond one month.

Findings

As a result of the inability to trace the first point of the intrusions, we were forced to close the case unsolved. We subsequently communicated recommendations to OPP for upgrading station network security and future incident response coordination, due to our assessment that South Pole and McMurdo servers remain likely and easy targets.

[1] The pamanda servers are administered under the control of Antarctic Muon and Neutrino Detector Array (AMANDA) Project scientists, though they share the South Pole network and have a trust relationship with oak.spole.gov (under full ASA control). AMANDA, funded by the NSF Physics Division and Polar Programs, is a collaborative project composed of the

[2] The only pamanda1 and pamanda2 logs in our possession are the logs attached to the CERT. It appears that these logs represent activity captured by the intruder's sniffer.